219 matches found
PT-2026-26870
The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The ad func shortcode handl...
CVE-2026-2358
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...
CVE-2026-2358 WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...
CVE-2026-2358 WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...
PT-2026-24577
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp ulike likers box shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of html entity decode on shortcode attributes without subsequent output sanitization, which...
WordPress WP ULike plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attribute vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin WP ULike versions = 5.0.1...
WordPress JS Archive List plugin <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute vulnerability
Authenticated Contributor+ PHP Object Injection via 'included' Shortcode Attribute vulnerability discovered by WordFence in WordPress Plugin JS Archive List versions = 6.1.7...
CVE-2026-2020
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it...
CVE-2026-1825
The CVE refers to CVE-2026-1825 for the WordPress Show YouTube video plugin (versions up to 1.1). The connected Wordfence report confirms a Stored Cross-Site Scripting vulnerability via the plugin’s shortcodes, exploitable by authenticated users with contributor-level access or higher. The descri...
CVE-2026-1823
CVE-2026-1823 (Consensus Embed plugin, WordPress) is a stored XSS vulnerability affecting all versions up to 1.6, caused by insufficient input sanitization and output escaping on attributes used by the plugin’s consensus shortcode. The CVE description specifies that exploitation requires authenti...
CVE-2026-1823 Consensus Embed <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute
The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's consensus shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2026-1805
CVE-2026-1805 concerns the DA Media GigList WordPress plugin. It is vulnerable to Stored Cross‑Site Scripting via the plugin’s shortcodes (damedia_giglist) in all versions up to and including 1.9.0 due to insufficient input sanitization and output escaping on user‑supplied attributes. Authenticat...
CVE-2026-1820 Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute
The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmaltscdivupdatealttext' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...
CVE-2026-2020
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it...
WordPress Show YouTube video plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Show YouTube video versions = 1.1...
CVE-2026-2020 JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it...
CVE-2026-2020
The WordPress JS Archive List plugin (all versions up to 6.1.7) is vulnerable to PHP Object Injection via the shortcodes’ included attribute. The vulnerability arises from deserializing untrusted input, enabling authenticated attackers with Contributor-level access or higher to inject a PHP objec...
CVE-2026-2355
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the mycalendarupcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...
WordPress Secure Copy Content Protection and Content Locking plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Secure Copy Content Protection and Content Locking versions = 5.0.1...
WordPress InteractiveCalculator for WordPress plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin InteractiveCalculator for WordPress versions = 1.0.3...